Security in VoIP Networks
Juan C Pelaez, Florida Atlantic University


Page 1 (title slide): Security in VoIP Networks, Juan C Pelaez, Florida Atlantic University

Page 2

What is VoIP?

VoIP (Voice over Internet Protocol), sometimes referred to as Internet telephony, is a method of digitizing voice, encapsulating the digitized voice into packets and transmitting those packets over a packet switched IP network.

Page 3

Overview of VoIP (1)

VoIP enables people to use the Internet as the transmission medium for telephone calls. For users who have free, or fixed-price, Internet access, Internet telephony software essentially provides free telephone calls anywhere in the world. To date, however, Internet telephony does not offer the same quality of telephone service as direct telephone connections, and it is an easy target of security attacks.

Page 4

Overview of VoIP (2)

VoIP: yet another Internet service (telephone, radio, video) over IP

Services: email/web/calendar integration, emergency services, call scheduling, Interactive Voice Response (IVR), instant messaging, personal mobility…

Page 5

VoIP Protocols

Most implementations use the H.323 protocol
- Same protocol that is used for IP video.
- Uses TCP for call setup.
- Traffic is actually carried on RTP (Real-Time Transport Protocol), which runs on top of UDP.

SIP defines a distributed architecture for creating multimedia applications, including VoIP.

VoIP = Transport + QoS + Signaling
- Transport: RTP
- QoS: RTCP (the RTP control protocol)
- Signaling: H.323, SIP, MGCP/Megaco

Page 6

Internet telephony protocol stack (figure)

Page 7

H.323 Signaling and Media Channels

H.225.0/RAS Channel: RAS (Registration, Admission & Status) control between endpoints (terminals, gateways, MCUs) and their gatekeeper

H.225.0 Call Signaling Channel: call the remote endpoint; establish the H.245 address

H.245 Control Channel: open the control channel; terminal capability negotiation; open/close logical channels; establish UDP ports for A/V

RTP/RTCP Logical Channels for Media Stream: carry media (audio, video, data, etc.) within logical channels

Page 8

H.323 VoIP Components

H.323 defines four logical components: Terminals, Gateways, Gatekeepers and Multipoint Control Units (MCUs).

Terminals, gateways and MCUs are known as endpoints.

Page 9

(Figure: IP telephony connected to the Public Switched Telephone Network (PSTN) through a gateway and an IP PBX; labelled stages are Call Control, Call Setup, Media Exchange, Call Signaling (RAS) and Call Processing.)

Page 10 (figure only)

Page 11

VoIP requires…

- Handsets
- Softphones
- Gateways
- Gatekeepers
- Conference Bridge
- IP PBX
- H.323, SIP, MGCP/Megaco

Page 12

VoIP requires… (cont.)

(Figure: softphones, IP PBX, gateway, MCU and gatekeeper, with the gateway connecting to the PSTN.)

Page 13 (figure only)

Page 14

Security Threats and Defense Mechanisms

Denial-of-service (DoS)
- Separation of the voice and data segments using VPNs

Call interception (invasion of privacy)
- Encrypt VoIP traffic where possible
- Lawful interception

Page 15

Call Interception - Example (figure)

Page 16

Security Threats and Defense Mechanisms (2)

Theft of service (traditional fraud)
- Getting free service or free features
- Use strong authentication
- Call-processing Manager will not allow unknown phones to be configured

Signal protocol tampering
- Capture the packets that set up the call.
- User could manipulate fields in the data stream and make VoIP calls without using a VoIP phone.

Page 17

Other Security Threats and Defense Mechanisms

Threat: defense mechanism
- Masquerading / man-in-the-middle attacks: endpoint authentication
- Spoofing / connection hijacking: user/message authentication and integrity
- Message manipulation: message authentication
- Virus and Trojan-horse applications: host-based virus scanning
- Repudiation: call-processing manager
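The defenses on pages 16 and 17 (strong endpoint authentication, refusing unknown phones, message integrity) are shown here in one simplified gatekeeper-side registration check. This is an added example, not code from the slides: the message layout, the replay window and the shared-secret table are assumptions, and it is not real H.225.0/H.235 encoding.

```python
"""Simplified registration check for an H.323-style gatekeeper.

Added example. Models three defenses from the slides: the gatekeeper
only accepts phones it has been configured with, each registration
request (RRQ) carries an HMAC over its tamper-sensitive fields, and a
timestamp window limits replay of captured signaling. The message
fields and secret table below are constructed stand-ins.
"""
import hashlib
import hmac
import time

# Constructed provisioning table: endpoint alias -> shared secret.
# A real call-processing manager keeps this in its configuration.
KNOWN_ENDPOINTS = {
    "phone-101": b"s3cret-101",
    "gw-pstn-1": b"s3cret-gw1",
}
REPLAY_WINDOW_S = 30  # assumed tolerance for clock skew / replay


def sign_request(alias, transport_addr, timestamp, secret):
    """HMAC-SHA256 over the fields a tampered RRQ would change."""
    msg = f"RRQ|{alias}|{transport_addr}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(alias, transport_addr, timestamp, secret):
    """Endpoint side: build a signed registration request."""
    return {"alias": alias, "addr": transport_addr, "ts": timestamp,
            "mac": sign_request(alias, transport_addr, timestamp, secret)}


def check_registration(request, now=None):
    """Gatekeeper side: return (accepted, reason) for a request dict."""
    now = time.time() if now is None else now
    secret = KNOWN_ENDPOINTS.get(request["alias"])
    if secret is None:
        return False, "unknown endpoint"        # unconfigured phone: reject
    if abs(now - request["ts"]) > REPLAY_WINDOW_S:
        return False, "stale timestamp"         # replayed/old RRQ: reject
    expected = sign_request(request["alias"], request["addr"],
                            request["ts"], secret)
    if not hmac.compare_digest(expected, request["mac"]):
        return False, "bad authenticator"       # tampered fields or wrong secret
    return True, "registration confirmed"       # RCF
```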

Page 18

Scope of H.235

(Figure: H.323 protocol stack showing where H.235 security applies. AV applications: audio (G.xxx) and video (H.26x) over RTP/RTCP, with encryption and authentication. Terminal control and management: H.225.0 terminal-to-gatekeeper signaling (RAS), H.225.0 call signaling (Q.931) and H.245 call control, with transport security (TLS). Transport: unreliable transport (UDP, IPX) and reliable transport (TCP). Network layer: IP, with network security (IPsec). Link layer. Physical layer.)

Page 19

Challenges for IP Telephony

NAT/Firewall Traversal Problem (NAT = Network Address Translation)
- IP Telephony uses UDP as the transmission protocol
- IP Telephony uses dynamic port addresses
- For these protocols to pass the firewall, the specific static ports and the range of dynamic ports must be opened for all traffic.
- IP addresses are embedded in the payload
- NAT only handles outgoing connections

Page 20

NAT/Firewall Traversal Issue

(Figure: signaling and control pass the firewall/NAT, out-bound media capabilities and RTP leave, but in-bound media and RTP on transient ports are blocked.)

Page 21

Firewall/NAT Solutions (1)

Proxies (Multimedia Gateway)
- Designed to handle real-time communications

Gateways
- Converts from IP to PSTN voice

Application Level Gateways (ALG)
- Firewalls programmed to understand IP protocols

Demilitarized Zone (DMZ)
- Overcomes problem by placing a MCU
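The traversal problem on page 19 (addresses embedded in the payload, dynamic media ports) and the ALG solution above, as an added example that is not from the slides. It uses a SIP call's SDP body, where the media address and RTP port are carried as text; the SDP, the public address and the pinhole representation are constructed assumptions, not a real ALG's implementation.

```python
"""Why VoIP signaling breaks NAT, and what an ALG does about it.

Added example. NAT rewrites only the IP header, so the private address
and dynamic RTP port that the signaling payload advertises reach the
far end unchanged and inbound media cannot be routed back. An
application level gateway parses the signaling, rewrites those fields
and opens a pinhole only for this call's media. Sample SDP is constructed.
"""
import ipaddress
import re

SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.20
s=call
c=IN IP4 192.168.1.20
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

# RFC 1918 ranges: addresses that are only meaningful behind the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_media_endpoint(sdp):
    """Return the (ip, port) the payload tells the far end to send RTP to."""
    ip = re.search(r"^c=IN IP4 (\S+)$", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))
    return ip, port


def nat_breaks_call(sdp):
    """True when the advertised media address is private: the far end
    would send RTP to an address the Internet cannot route."""
    ip, _ = embedded_media_endpoint(sdp)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def alg_rewrite(sdp, public_ip, public_port):
    """ALG behaviour: rewrite the c=/o= addresses and the m= port to the
    public mapping, and return the per-call pinhole the firewall must open
    (public port -> private ip:port) instead of a static port range."""
    priv_ip, priv_port = embedded_media_endpoint(sdp)
    out = re.sub(rf"IN IP4 {re.escape(priv_ip)}", f"IN IP4 {public_ip}", sdp)
    out = re.sub(r"^m=audio \d+ ", f"m=audio {public_port} ", out, flags=re.M)
    pinhole = {"public": (public_ip, public_port),
               "private": (priv_ip, priv_port)}
    return out, pinhole
```

When the call ends, the pinhole is closed again, which is the difference between an ALG and opening the whole dynamic port range described on page 19.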

Page 22

Multimedia Gateway (Proxy) (figure)

Page 23

Firewall/NAT Solutions (2)

Virtual Private Network (VPN)
A secure connection between two points across the Internet

Tunneling
The process by which VPNs transfer information by encapsulating traffic in IP packets and sending the packets over the Internet

Page 24 (figure only)

Page 25

Conclusion

VoIP just adds more assets, more threat locations and more vulnerabilities to the data network, because of the new equipment, protocols and processes it brings onto that network.

To increase security and performance it's recommended to use VPNs to separate VoIP from data traffic.

Instead of using VPN segmentation, users may consider using a multimedia gateway or reverse proxy.